On 06/24/2013 07:48 AM, Milan Broz wrote:
> Hm, seems like a completely different problem.
> I cannot check what's going on without more information here, ideally
> - cryptsetup output with --debug switch
> - tcryptDump (mainly offsets and data sizes stored there)
> - exact sizes of partitions (fdisk -l -u, blockdev --getsz /dev/sda* or so)
> (but please note it will provide some info which is hidden, do not send it
> if it is a problem :-)
Hi,

here's the info. The open log is attached.

TCRYPT header information for /dev/sda
Version: 5
Driver req.: 7
Sector size: 512
MK offset: 106928640
PBKDF2 hash: ripemd160
Cipher chain: aes
Cipher mode: xts-plain64
MK bits: 512

# for i in /dev/sda*; do echo -n "$i: "; sudo blockdev --getsz $i; done
/dev/sda: 120103200
/dev/sda1: 208782
/dev/sda2: 62701695
/dev/sda3: 57192660

# fdisk -l -u
Disk /dev/sda: 61.5 GB, 61492838400 bytes, 120103200 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000bfd29

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1              63      208844      104391   83  Linux
/dev/sda2   *      208845    62910539    31350847+   7  HPFS/NTFS/exFAT
/dev/sda3        62910540   120103199    28596330   83  Linux
> Ideally I would like to reproduce it, for my encrypted VM on partition
> it works.
> How did you create this config? Any manipulations with partitions after
> system reencryption?
I did nothing peculiar to the system. Created the layout with gparted. I
did install grub2, but it also didn't work with the truecrypt bootloader.
> > Also, something's off about the --key-file option with tcrypt. I can't
> > get it to accept my password from the file. But if I pipe it with cat
> > to stdin it works. Maybe it's supposed to be this way, but then I think
> > it needs extra mention in the manpage. And maybe there should be a way
> > to provide a --passphrase-file option or something along those lines
> > if the current handling is different to how it's handled for luks.
> So you are not using Truecrypt keyfile but just passphrase in file,
> so pipe is the correct way. I thought it is explained in man page
> but if not, it needs some care. If you have some idea how to describe
> it better, just send me a patch.
> (And adding more options will cause even more chaos here :)
After re-reading it's a little clearer now. I still miss a way to
supply the passphrase in a file without resorting to piping it to stdin.
It's not an issue for luks since it allows passphrases and keyfiles
together, but truecrypt doesn't allow keyfiles in system mode.
Jan
# cryptsetup 1.6.2-git processing "cryptsetup --debug --tcrypt-system tcryptOpen /dev/sda windows"
# Running command open.
# Locking memory.
# Installing SIGINT/SIGTERM handler.
# Unblocking interruption on signal.
# Allocating crypt device /dev/sda context.
# Trying to open and read device /dev/sda.
# Initialising device-mapper backend library.
# STDIN descriptor passphrase entry requested.
# Trying to load TCRYPT crypt type from device /dev/sda.
# Crypto backend (gcrypt 1.5.2) initialized.
# Reading TCRYPT header of size 512 bytes from device /dev/sda.
# TCRYPT: trying KDF: pbkdf2-ripemd160-2000.
# TCRYPT: trying cipher aes-xts-plain64
# TCRYPT: trying cipher serpent-xts-plain64
# TCRYPT: trying cipher twofish-xts-plain64
# TCRYPT: trying cipher twofish-aes-xts-plain64
# TCRYPT: trying cipher serpent-twofish-aes-xts-plain64
# TCRYPT: trying cipher aes-serpent-xts-plain64
# TCRYPT: trying cipher aes-twofish-serpent-xts-plain64
# TCRYPT: trying cipher serpent-twofish-xts-plain64
# TCRYPT: trying cipher aes-lrw-benbi
# TCRYPT: trying cipher serpent-lrw-benbi
# TCRYPT: trying cipher twofish-lrw-benbi
# TCRYPT: trying cipher twofish-aes-lrw-benbi
# TCRYPT: trying cipher serpent-twofish-aes-lrw-benbi
# TCRYPT: trying cipher aes-serpent-lrw-benbi
# TCRYPT: trying cipher aes-twofish-serpent-lrw-benbi
# TCRYPT: trying cipher serpent-twofish-lrw-benbi
# TCRYPT: trying cipher aes-cbc-tcrypt
# TCRYPT: trying cipher serpent-cbc-tcrypt
# TCRYPT: trying cipher twofish-cbc-tcrypt
# TCRYPT: trying cipher twofish-aes-cbci-tcrypt
# TCRYPT: trying cipher serpent-twofish-aes-cbci-tcrypt
# TCRYPT: trying cipher aes-serpent-cbci-tcrypt
# TCRYPT: trying cipher aes-twofish-serpent-cbci-tcrypt
# TCRYPT: trying cipher serpent-twofish-cbci-tcrypt
# TCRYPT: trying cipher cast5-cbc-tcrypt
# TCRYPT: trying cipher des3_ede-cbc-tcrypt
# TCRYPT: trying cipher blowfish_le-cbc-tcrypt
# TCRYPT: trying cipher blowfish_le-aes-cbc-tcrypt
# TCRYPT: trying cipher serpent-blowfish_le-aes-cbc-tcrypt
# TCRYPT: trying KDF: pbkdf2-ripemd160-1000.
# TCRYPT: trying cipher aes-xts-plain64
# TCRYPT: Signature magic detected.
# TCRYPT: Header version: 5, req. 7, sector 512, mk_offset 106928640, hidden_size 0, volume size 32103267840
# TCRYPT: Header cipher aes-xts-plain64, key size 64
# Activating volume windows by volume key.
# dm version OF [16384] (*1)
# dm versions OF [16384] (*1)
# Detected dm-crypt version 1.12.1, dm-ioctl version 4.24.0.
# Device-mapper backend running with UDEV support enabled.
# dm status windows OF [16384] (*1)
# Calculated device size is 62701695 sectors (RW), offset 208845.
# Trying to activate TCRYPT device windows using cipher aes-xts-plain64.
# DM-UUID is CRYPT-TCRYPT-windows
# Udev cookie 0xd4df074 (semid 294912) created
# Udev cookie 0xd4df074 (semid 294912) incremented to 1
# Udev cookie 0xd4df074 (semid 294912) incremented to 2
# Udev cookie 0xd4df074 (semid 294912) assigned to CREATE task(0) with flags (0x0)
# dm create windows CRYPT-TCRYPT-windows OF [16384] (*1)
# dm reload windows OFW [16384] (*1)
device-mapper: reload ioctl on failed: Invalid argument
# Udev cookie 0xd4df074 (semid 294912) decremented to 1
# Udev cookie 0xd4df074 (semid 294912) incremented to 2
# Udev cookie 0xd4df074 (semid 294912) assigned to REMOVE task(2) with flags (0x0)
# dm remove windows OFW [16384] (*1)
# windows: Stacking NODE_DEL [verify_udev]
# Udev cookie 0xd4df074 (semid 294912) decremented to 1
# Udev cookie 0xd4df074 (semid 294912) waiting for zero
# Udev cookie 0xd4df074 (semid 294912) destroyed
# windows: Processing NODE_DEL [verify_udev]
# Releasing crypt device /dev/sda context.
# Releasing device-mapper backend.
# Unlocking memory.
Command successful.
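
An added example, not part of the original message or of cryptsetup: a cross-check of the "offsets and data sizes" requested above, using only values posted in this message. It assumes mk_offset and volume size are byte counts and that the "Calculated device size" line is in 512-byte sectors; under that reading the header, the dm-crypt mapping and /dev/sda2 all describe the same region of the disk.

```python
import re

SECTOR = 512  # "Sector size" from the TCRYPT header dump
# Lines copied from the debug log and fdisk output in the message above.
DEBUG_LOG = """\
# TCRYPT: Header version: 5, req. 7, sector 512, mk_offset 106928640, hidden_size 0, volume size 32103267840
# Calculated device size is 62701695 sectors (RW), offset 208845.
"""
FDISK_ROWS = """\
/dev/sda1 63 208844 104391 83 Linux
/dev/sda2 * 208845 62910539 31350847+ 7 HPFS/NTFS/exFAT
/dev/sda3 62910540 120103199 28596330 83 Linux
"""
DISK_SECTORS = 120103200  # blockdev --getsz /dev/sda

def parse_header(log):
    """Extract header geometry (bytes, assumed) and the dm mapping (sectors)."""
    m = re.search(r"mk_offset (\d+), hidden_size \d+, volume size (\d+)", log)
    c = re.search(r"Calculated device size is (\d+) sectors \(\w+\), offset (\d+)", log)
    if not m or not c:
        raise ValueError("expected TCRYPT debug lines not found")
    return {"mk_offset": int(m[1]), "volume_bytes": int(m[2]),
            "dm_size": int(c[1]), "dm_offset": int(c[2])}

def parse_partitions(rows):
    """Map device name -> (start sector, size in sectors); End is inclusive."""
    parts = {}
    for line in rows.splitlines():
        f = line.replace("*", " ").split()  # drop the boot flag column
        start, end = int(f[1]), int(f[2])
        parts[f[0]] = (start, end - start + 1)
    return parts

def check_geometry(log, rows, disk_sectors, sector=SECTOR):
    """Return (partitions matching the encrypted area, list of inconsistencies)."""
    h, findings = parse_header(log), []
    if h["mk_offset"] % sector or h["volume_bytes"] % sector:
        findings.append("header offset or size is not sector-aligned")
    start, size = h["mk_offset"] // sector, h["volume_bytes"] // sector
    if (start, size) != (h["dm_offset"], h["dm_size"]):
        findings.append("dm-crypt mapping differs from header values")
    if start + size > disk_sectors:
        findings.append("encrypted area runs past the end of the disk")
    match = [n for n, p in parse_partitions(rows).items() if p == (start, size)]
    if not match:
        findings.append("no partition matches the encrypted area")
    return match, findings

if __name__ == "__main__":
    print(check_geometry(DEBUG_LOG, FDISK_ROWS, DISK_SECTORS))
```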